Cisco ASA 5500 AnyConnect Setup From Command Line
KB ID 0000943 Dtd 21/04/14
Problem
Also See Cisco ASA5500 AnyConnect SSL VPN
This procedure was done on Cisco ASA version 8.4, so it uses all the newer NAT commands. I'm also going to use self signed certificates so you will see this error when you attempt to connect.Solution
1. The first job is to go get the AnyConnect client package, (download it from Cisco with a current support agreement). Then copy it into the firewall via TFTP. If you are unsure how to do that see the following article.Install and Use a TFTP Server
Petes-ASA(config)# copy tftp flash
Address or name of remote host [10.254.254.183]? 192.168.80.1
Source filename []?anyconnect-win-3.1.05152-k9
Destination filename [anyconnect-win-3.1.05152-k9]? {Enter}
Accessing tftp://192.168.80.1/anyconnect-win-3.1.05152-k9...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-3.1.05152-k9...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
4807912 bytes copied in 549.790 secs (8757 bytes/sec)
Petes-ASA(config)#
2. Create a 'pool' of IP addresses that the ASA will allocate to the remote clients, also create a network object that covers that pool of addresses we will use later.Address or name of remote host [10.254.254.183]? 192.168.80.1
Source filename []?anyconnect-win-3.1.05152-k9
Destination filename [anyconnect-win-3.1.05152-k9]? {Enter}
Accessing tftp://192.168.80.1/anyconnect-win-3.1.05152-k9...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-3.1.05152-k9...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
4807912 bytes copied in 549.790 secs (8757 bytes/sec)
Petes-ASA(config)#
Petes-ASA(config)# ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
Petes-ASA(config)# object network OBJ-ANYCONNECT-SUBNETPetes-ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0
3. Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect.Petes-ASA(config)# object network OBJ-ANYCONNECT-SUBNETPetes-ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0
Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
Petes-ASA(config-webvpn)# anyconnect enable
4. I'm going to create a local username and password, you may choose to use RADIUS or Kerberos AAA. I'm also going to create an ACL that we will use for split tunneling in a minute.Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
Petes-ASA(config-webvpn)# anyconnect enable
Petes-ASA(config)# username PeteLong password Password123
Petes-ASA(config)# access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
5. Create a group policy, change the values to match your DNS server(s), and domain name.Petes-ASA(config)# access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE internal
Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
Petes-ASA(config-group-policy)# dns-server value 10.0.0.10 10.0.0.11
Petes-ASA(config-group-policy)# split-tunnel-policy tunnelspecified
Petes-ASA(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
Petes-ASA(config-group-policy)# default-domain value petenetlive.com
6. Create a matching tunnel-group that ties everything together.Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
Petes-ASA(config-group-policy)# dns-server value 10.0.0.10 10.0.0.11
Petes-ASA(config-group-policy)# split-tunnel-policy tunnelspecified
Petes-ASA(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
Petes-ASA(config-group-policy)# default-domain value petenetlive.com
Petes-ASA(config-group-policy)# tunnel-group ANYCONNECT-PROFILE type remote-access
Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# default-group-policy GroupPolicy_ANYCONNECT-PROFILE
Petes-ASA(config-tunnel-general)# address-pool ANYCONNECT-POOL
Petes-ASA(config-tunnel-general)# tunnel-group ANYCONNECT-PROFILE webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-alias ANYCONNECT-PROFILE enable
7. Then stop any traffic that is going to (or coming from) the remote clients from beingNATTED.Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# default-group-policy GroupPolicy_ANYCONNECT-PROFILE
Petes-ASA(config-tunnel-general)# address-pool ANYCONNECT-POOL
Petes-ASA(config-tunnel-general)# tunnel-group ANYCONNECT-PROFILE webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-alias ANYCONNECT-PROFILE enable
Petes-ASA(config)# nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
8. Save the changes.
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425
8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#
9. Give it a test from a remote client.Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425
8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#
AnyConnect Commands to Copy and Paste
Simply change the values shown in red;
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0object network OBJ-ANYCONNECT-SUBNET
subnet 192.168.100.0 255.255.255.0
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
anyconnect enable
username PeteLong password Password123
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.10 10.0.0.11
wins-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
subnet 192.168.100.0 255.255.255.0
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
anyconnect enable
username PeteLong password Password123
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.10 10.0.0.11
wins-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
No comments:
Post a Comment